
Inactive Slow computer, Adware, Spyware, popups

Discussion in 'Malware and Virus Removal Archive' started by Justice, 2014/04/16.

Thread Status:
Not open for further replies.
  1. 2014/04/16
    Justice

    Justice Inactive Thread Starter

    Joined:
    2014/04/16
    Messages:
    1
    Likes Received:
    0
    [Inactive] Slow computer, Adware, Spyware, popups

    Got a friend's computer; I was tasked with cleaning it up. It's in bad shape.

    Malwarebytes Anti-Malware
    www.malwarebytes.org


    Update, 4/16/2014 3:05:31 PM, SYSTEM, SIXLOVE-PC, Manual, Rootkit Database, 2014.2.20.1, 2014.3.27.1,
    Update, 4/16/2014 3:05:34 PM, SYSTEM, SIXLOVE-PC, Manual, Malware Database, 2014.3.4.9, 2014.4.16.10,

    (end)

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16545 BrowserJavaVersion: 10.45.2
    Run by sixlove at 23:10:45 on 2014-04-16
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\atieclxx.exe
    C:\Windows\System32\WUDFHost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\MyPC Backup\BackupStack.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Mobogenie\MgAssist.exe
    C:\Program Files\PCTechHotline\PCTechHotlineSvc.exe
    C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe
    C:\Windows\system32\STacSV.exe
    C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
    C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
    C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Mobogenie\DaemonProcess.exe
    C:\Windows\System32\wpcumi.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
    C:\Users\sixlove\AppData\Local\Super Backup Online Backup\SMessaging.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\YTDownloader\YTDownloader.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
    C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
    C:\Program Files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
    C:\Program Files\PC Drivers HeadQuarters\Driver Detective\DriversHQ.DriverDetective.Client.exe
    C:\Program Files\Driver Restore\Driver Restore\DriverRestore.exe
    C:\Program Files\Super Backup Online Backup\BackupAgent.exe
    C:\Program Files\Hoopla\GPlayer.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
    C:\Program Files\MyPC Backup\MyPC Backup.exe
    C:\Users\sixlove\AppData\Local\Super Backup Online Backup\Super Backup\SuperBackupApp.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\PCTechHotline\PCTechHotline.exe
    C:\Program Files\PCTechHotline\PCTHHook.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\msiexec.exe
    \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k WindowsMobile
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071214
    uURLSearchHooks: {b7c6e3b0-bb6a-4a3e-a1e5-a23b1ddd32ee} - <orphaned>
    uURLSearchHooks: YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.8.130\McAfeeMSS_IE.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: WordExtra: {8BA97046-C600-4264-B367-5DEFD9FC505F} - c:\users\sixlove\appdata\roaming\wordextra\temp.dat
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [cdloader] "c:\users\sixlove\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
    uRun: [iCloudServices] c:\program files\common files\apple\internet services\iCloudServices.exe
    uRun: [ApplePhotoStreams] c:\program files\common files\apple\internet services\ApplePhotoStreams.exe
    uRun: [Driver Detective] c:\program files\pc drivers headquarters\driver detective\DriversHQ.DriverDetective.Client.exe /applicationMode:systemTray /showWelcome:false
    uRun: [Driver Restore] c:\program files\driver restore\driver restore\DriverRestore.exe /applicationMode:systemTray /showWelcome:false
    uRun: [BackupAgent] c:\program files\super backup online backup\BackupAgent.exe
    uRun: [Exetender] "c:\program files\hoopla\GPlayer.exe" /runonstartup
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe "
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
    mRun: [CCUTRAYICON] "c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe "
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe "
    mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [FileAgent] c:\program files\filecenter\main\FileAgent.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
    mRun: [ApnTBMon] "c:\program files\askpartnernetwork\toolbar\updater\TBNotifier.exe "
    mRun: [SMessaging] "c:\users\sixlove\appdata\local\super backup online backup\SMessaging.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [YTDownloader] "c:\program files\ytdownloader\YTDownloader.exe" /boot
    mRun: [PCTechHotline] "c:\program files\pctechhotline\PCTechHotline.exe" /STARTUP
    mRun: [mobilegeni daemon] c:\program files\mobogenie\DaemonProcess.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRunOnce: [ccube_Uninstall_Lock] "c:\programdata\ca\cacu_001.exe" /cleanup /RunOnce
    mRunOnce: [Qurb {EBA5BE5C}] <no file>
    dRun: [Exetender] "c:\program files\hoopla\GPlayer.exe" /runonstartup
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-001045-0002-0045-ABCDEFFEDCBC} - <orphaned>
    LSP: c:\windows\system32\wpclsp.dll
    LSP: c:\windows\system32\iavlsp.dll
    DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 167.206.13.180 167.206.13.181
    TCP: Interfaces\{6CC151F6-C8D3-4E5A-BB05-1495966C18CE} : DHCPNameServer = 167.206.13.180 167.206.13.181
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - <orphaned>
    Notify: PFW - <no file>
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\26.0.1410.64\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\sixlove\appdata\roaming\mozilla\firefox\profiles\td5n09eh.default\
    FF - prefs.js: browser.search.selectedEngine - Conduit Search
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3323128&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPEEAE01FF-2049-402D-B7C9-92781BA27477&SSPV=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\hoopla\npExentCtl.dll
    FF - plugin: c:\program files\hoopla\npGameTreatWidget.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\mcafee security scan\3.8.130\npMcAfeeMSS.dll
    FF - plugin: c:\program files\televisionfanatic\bar\1.bin\NP64Stub.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_77.dll
    FF - plugin: c:\windows\system32\npDeployJava1.dll
    FF - plugin: c:\windows\system32\npmproxy.dll
    FF - ExtSQL: 2014-02-21 19:00; korey@markus.me; c:\users\sixlove\appdata\roaming\mozilla\firefox\profiles\td5n09eh.default\extensions\korey@markus.me
    FF - ExtSQL: !HIDDEN! 2012-11-06 12:44; 64ffxtbr@TelevisionFanatic.com; c:\program files\televisionfanatic\bar\1.bin
    FF - ExtSQL: !HIDDEN! 2014-02-22 23:54; korey@markus.me; c:\program files\mozilla firefox\browser\extensions\korey@markus.me
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
    R? DHTRACE;Intel(R) DHTrace Controller
    R? DQLWinService;DQLWinService
    R? KmxAMRT;KmxAMRT
    R? KmxCfg;KmxCfg
    R? McComponentHostService;McAfee Security Scan Component Host Service
    R? MCLServiceATL;Intel(R) Application Tracker
    R? NMSCore;Intel(R) NMSCore
    R? QualityManager;Intel(R) Quality Manager
    R? Ser2rs;Radioshack USB to Serial Driver
    R? vseqrts;vseqrts
    R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
    S? AMD External Events Utility;AMD External Events Utility
    S? AMP;Active Malware Protection Minifilter Driver
    S? AMPSE;Active Malware Protection Support Driver
    S? APNMCP;Ask Update Service
    S? BackupStack;Computer Backup (MyPC Backup)
    S? ElRawDisk;ElRawDisk
    S? FontCache;Windows Font Cache Service
    S? IntelDH;IntelDH Driver
    S? ioloSystemService;iolo System Service
    S? KmxAgent;KmxAgent
    S? KmxCF;KmxCF
    S? KmxFile;KmxFile
    S? KmxFw;KmxFw
    S? KmxSbx;KmxSbx
    S? MBAMSwissArmy;MBAMSwissArmy
    S? MgAssistService;MgAssist Service
    S? nmsunidr;UniDriver for NMS
    S? PCTechHotlineSvc;PCTechHotlineService
    S? PDFsFilter;PDFsFilter
    S? sbmntr;sbmntr
    S? SMUpd;Search Module Update
    S? SMUpdd;Search Module UpdateD
    S? tStLib;tStLib
    S? vseamps;vseamps
    S? vsedsps;vsedsps
    S? VST_DPV;VST_DPV
    S? VSTHWBS2;VSTHWBS2
    S? X6XSEx_Pr152;X6XSEx_Pr152
    .
    =============== File Associations ===============
    .
    FileExt: .vbe: VBEFile=NOTEPAD.EXE "%1 "
    FileExt: .vbs: VBSFile=NOTEPAD.EXE "%1 "
    FileExt: .js: JSFile=NOTEPAD.EXE "%1 "
    FileExt: .jse: JSEFile=NOTEPAD.EXE "%1 "
    FileExt: .wsf: WSFFile=NOTEPAD.EXE "%1 "
    .
    =============== Created Last 30 ================
    .
    2014-04-16 19:05:29 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-04-16 19:05:09 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2014-04-16 19:05:09 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
    2014-04-16 19:03:54 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
    2014-04-16 19:02:48 -------- d-----w- c:\programdata\Malwarebytes
    2014-04-16 19:02:48 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
    2014-04-12 23:17:19 -------- d-----w- c:\users\sixlove\appdata\local\visi_coupon
    2014-03-22 04:14:07 55232 ----a-w- c:\windows\system32\drivers\tStLib.sys
    .
    ==================== Find3M ====================
    .
    2014-04-16 18:55:16 702 ----a-w- c:\windows\system32\ff.bin
    2014-04-16 18:54:33 530 ----a-w- c:\windows\system32\schtasks.bin
    2014-03-12 19:04:06 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2014-03-12 19:04:06 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2014-03-12 19:04:03 5777288 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    2014-03-07 23:12:00 1806848 ----a-w- c:\windows\system32\jscript9.dll
    2014-03-07 23:02:19 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2014-03-07 23:02:07 1129472 ----a-w- c:\windows\system32\wininet.dll
    2014-03-07 22:57:17 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2014-03-07 22:56:03 421376 ----a-w- c:\windows\system32\vbscript.dll
    2014-03-07 22:52:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2014-02-07 10:38:44 2050560 ----a-w- c:\windows\system32\win32k.sys
    2014-02-03 10:37:54 505344 ----a-w- c:\windows\system32\qedit.dll
    2014-01-30 07:46:58 876032 ----a-w- c:\windows\system32\wer.dll
    2014-01-17 21:24:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2014-01-17 21:24:12 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .
    ============= FINISH: 23:11:38.98 ===============
     
  2. 2014/04/17
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ====================================

    Step 1 in our preliminaries asks for installing some AV program if you don't have any.
    I don't see any AV program running.

    DDS produces two logs.
    I still need Attach.txt log from DDS.

    Re-run MBAM one more time and see what happens.
     
